Does MAP_FIXED inhibit execmem denial?
Stephen Smalley
sds at tycho.nsa.gov
Fri Apr 21 11:38:45 UTC 2006
On Thu, 2006-04-20 at 11:16 -0700, John Reiser wrote:
> Stephen Smalley wrote:
>
> >>However, under all released FC5 kernels including 2.6.16-1.2096_FC5,
> >>I see no execmem complaints. Strace of typical execution begins:
> >
> >
> > Hmmm...shouldn't.
> >
> > # /usr/sbin/getsebool allow_execmem
> > (If on, /usr/sbin/setsebool allow_execmem=0, or run your test under a
> > confined domain.)
> > # cat /selinux/checkreqprot
> > # execstack -q /path/to/program
>
> Thank you for diagnosing. allow_execmem is "on" under the installed
> selinux-policy-targeted-2.2.29-3.fc5. [There have been no changes
> to booleans after default install of FC5 except via "yum upgrade".]
Yes, execmem is allowed by default to the unconfined_t domain, so you
have to consciously choose to disable it. Otherwise, the system would
be broken out of the box for a lot of users.
setsebool -P to make that permanent (preserved across reboots). But
note it will break some programs.
>
> Transcript:
> -----
> # /usr/sbin/getsebool allow_execmem
> allow_execmem --> on
> # /usr/sbin/setsebool allow_execmem=0
> # cat /selinux/checkreqprot ## Note the output '1' on the next line.
> 1# execstack -q ./date.OK
> execstack: "./date.OK" has no section headers
> ## The info would be in a PT_GNU_STACK Elf32_Phdr "segment header",
> ## not in any Elf32_Shdr.
> ## But anyway, there is no PT_GNU_STACK in ./date.OK, either.
>
> # strace ./date.OK
> execve("./date.OK", ["./date.OK"], [/* 22 vars */]) = 0
> old_mmap(0xc06000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, \
> -1, 0xc06000) = -1 EACCES (Permission denied) ## Now I understand.
> # rpm -qa | grep selinux
> libselinux-devel-1.30-1.fc5
> selinux-policy-2.2.29-3.fc5
> selinux-policy-targeted-2.2.29-3.fc5
> libselinux-1.30-1.fc5
> libselinux-python-1.30-1.fc5
> #
> -----
>
--
Stephen Smalley
National Security Agency